This is a discussion on Re: [Snort-users] Placing Snort within the Snort forums, part of the System Security and Security Related category.
----- Original Message -----
From: Chandana Bandara
To: Snort
Sent: Wednesday, September 01, 2004 2:30 AM
Subject: [Snort-users] Placing Snort

hi

I implemented snort in this way

Internet ---------------> Router -----------------------> Firewall ---------------------> Snort--------------------> switch -----------------> LAN

Well, from what you have above, I assume you have snort sitting on a switch port which is mirroring traffic to/from firewall, and this is the way most people set it up (though there are many ways things like this can be set up). You want to make sure that whatever NIC you have plugged into this port is in promisc. mode (so it can see all traffic), and even better, if the NIC can be enabled w/out an IP address (prevents the sensor from reacting to traffic from the NIC itself). Another method would be to make a cat-5 cable which only has the receive pins connected (no transmit) on the side which goes to the computer running snort (this ensures that snort can ONLY listen to traffic and never send anything, even by accident).

Bill
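
An added example, not part of the message above or of the Snort project: a shell check that a sensor interface matches the advice in the reply (promiscuous, no IP address bound). It assumes Linux sysfs and iproute2, a hypothetical sensor interface eth1, and constructed sample values; counting IPv6 link-local addresses as well goes slightly beyond what the message says.

```sh
#!/bin/sh
# Audit a passive Snort sensor NIC: up, promiscuous, and with no address bound.
# Assumptions: Linux sysfs and iproute2; all sample values below are constructed.

IFF_UP=0x1          # interface flag bits, as defined in <linux/if.h>
IFF_PROMISC=0x100

# flag_set FLAGS MASK: succeeds when the MASK bit is set in the hex FLAGS word.
flag_set() { [ $(( $1 & $2 )) -ne 0 ]; }

# count_addrs: reads `ip -o addr show dev IFACE` output on stdin and prints how
# many IPv4/IPv6 addresses are bound (field 3 is the address family).
count_addrs() { awk '$3 ~ /^inet6?$/ { n++ } END { print n + 0 }'; }

# audit_sensor FLAGS ADDR_LISTING: prints one finding per line and returns 0
# only when the interface can see all traffic and has nothing to answer from.
audit_sensor() {
    rc=0
    flag_set "$1" "$IFF_UP" || { echo "DOWN: interface is not up"; rc=1; }
    flag_set "$1" "$IFF_PROMISC" || { echo "NOPROMISC: NIC drops frames not addressed to it"; rc=1; }
    n=$(printf '%s\n' "$2" | count_addrs)
    [ "$n" -eq 0 ] || { echo "ADDRESSED: $n address(es) bound, sensor can reply"; rc=1; }
    return "$rc"
}

# audit_live IFACE: the same check against the running system (e.g. audit_live eth1).
audit_live() {
    [ -r "/sys/class/net/$1/flags" ] || { echo "no such interface: $1"; return 2; }
    audit_sensor "$(cat "/sys/class/net/$1/flags")" "$(ip -o addr show dev "$1")"
}

# Constructed samples: a correctly configured sensor port and a misconfigured one.
GOOD_FLAGS=0x1103   # UP | BROADCAST | PROMISC | MULTICAST
GOOD_ADDRS=""
BAD_FLAGS=0x1003    # same, but PROMISC is missing
BAD_ADDRS='3: eth1    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth1
3: eth1    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link'

audit_sensor "$GOOD_FLAGS" "$GOOD_ADDRS" && echo "eth1 (good sample): passive"
audit_sensor "$BAD_FLAGS" "$BAD_ADDRS" || echo "eth1 (bad sample): needs fixing"
```

A receive-only cable, the other method in the reply, is a hardware measure and cannot be confirmed by this check.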